Abstract. We present an accelerated Schoof-type point-counting algorithm for curves of genus 2
equipped with an efficiently computable real multiplication endomorphism. Our new algorithm
reduces the complexity of genus 2 point counting over a finite field $\mathbb{F}_q$ of large characteristic
from $O(\log^8 q)$ to $O(\log^5 q)$. Using our algorithm we compute a 256-bit prime-order Jacobian,
suitable for cryptographic applications, and also the order of a 1024-bit Jacobian.
1 Introduction

Cryptosystems based on curves of genus 2 offer per-bit security and efficiency comparable
with elliptic curve cryptosystems. However, many of the computational problems related to
creating secure instances of genus 2 cryptosystems are considerably more difficult than their
elliptic curve analogues. Point counting — or, from a cryptographic point of view, computing
the cardinality of a cryptographic group — offers a good example of this disparity, at least for
curves defined over large prime fields. Indeed, while computing the order of a cryptographic-sized
elliptic curve with the Schoof-Elkies-Atkin algorithm is now routine, computing the
order of a comparable genus 2 Jacobian requires a significant computational effort [7, 9].

In this article we describe a number of improvements to the classical Schoof-Pila algorithm
for genus 2 curves with explicit and efficient real multiplication (RM). For explicit
RM curves over $\mathbb{F}_p$, we reduce the complexity of Schoof-Pila from $O(\log^8 p)$ to $O(\log^5 p)$. We
applied a first implementation of our algorithms to find prime-order Jacobians over 128-bit
fields (comparable to prime-order elliptic curves over 256-bit fields, and therefore suitable for
contemporary cryptographic applications). Going further, we were able to compute the order
of an RM Jacobian defined over a 512-bit prime field, far beyond the cryptographic range.
(For comparison, the previous record computation in genus 2 was over a 128-bit field.)

While these RM curves are special, they are not "too special": every ordinary genus 2
Jacobian over a finite field has RM; our special requirement is that this RM be known in
advance and be efficiently computable. The moduli of curves with RM by a fixed ring form
2-dimensional subvarieties (Humbert surfaces) in the 3-dimensional moduli space of all genus 2
curves. We can generate random curves with the specified RM by choosing random points
on an explicit model of the corresponding Humbert surface [10]. In comparison with elliptic
curves, for which the moduli space is one-dimensional, this still gives an additional degree of
freedom in the random curve selection. To generate random curves with efficiently computable
RM, we choose random curves from some known one- and two-parameter families (see §4).

Curves with efficiently computable RM have an additional benefit in cryptography: the
efficient endomorphism can be used to accelerate scalar multiplication on the Jacobian, yielding
faster encryption and decryption [11, 15, 18]. The RM formulae are also compatible with
fast arithmetic based on theta functions [6].



2 Conventional Point Counting for Genus 2 Curves

Let $C$ be a curve of genus 2 over a finite field $\mathbb{F}_q$ of odd characteristic, defined by an affine
model $y^2 = f(x)$, where $f$ is a squarefree polynomial of degree 5 or 6 over $\mathbb{F}_q$. Let $J_C$ be
the Jacobian of $C$; we assume $J_C$ is ordinary and absolutely simple. Points on $J_C$ correspond
to degree-0 divisor classes on $C$; we use the Mumford representation for divisor classes together
with the usual Cantor-style composition and reduction algorithms for divisor class
arithmetic [5, 2]. Multiplication by $\ell$ on $J_C$ is denoted by $[\ell]$, and its kernel by $J_C[\ell]$. More generally,
if $\phi$ is an endomorphism of $J_C$ then $J_C[\phi] = \ker(\phi)$, and if $S$ is a set of endomorphisms
then $J_C[S]$ denotes the intersection of $\ker(\phi)$ for $\phi$ in $S$.

2.1 The Characteristic Polynomial of Frobenius

We let $\pi$ denote the Frobenius endomorphism of $J_C$, with Rosati dual $\pi^\dagger$ (so $\pi\pi^\dagger = [q]$). The
characteristic polynomial of $\pi$ has the form

$$\chi(T) = T^4 - s_1 T^3 + (s_2 + 2q)T^2 - q s_1 T + q^2, \qquad (1)$$

where $s_1$ and $s_2$ are integers, and $s_2$ is a translation of the standard definition. The polynomial
$\chi(T)$ determines the cardinality of $J_C(\mathbb{F}_{q^k})$ for all $k$: in particular, $\#J_C(\mathbb{F}_q) = \chi(1)$. We refer
to the determination of $\chi(T)$ as the point counting problem.

The polynomial $\chi(T)$ is a Weil polynomial: all of its complex roots lie on the circle $|z| = \sqrt{q}$.
This implies the Weil bounds

$$|s_1| \le 4\sqrt{q} \quad\text{and}\quad |s_2| \le 4q. \qquad (2)$$

However, the possible values of $(s_1, s_2)$ do not fill the whole rectangle specified by the Weil
bounds. Rück [17, Theorem 1.1] shows that in fact $s_1$ and $s_2$ satisfy

$$s_1^2 - 4s_2 \ge 0 \quad\text{and}\quad s_2 + 4q \ge 2|s_1|\sqrt{q},$$

so the possible values of $(s_1, s_2)$ lie in the domain cut out by these inequalities, shown in the figure.




2.2 The Classical Schoof-Pila Algorithm for Genus 2 Curves

The objective of point counting is to compute $\chi(T)$, or equivalently the tuple of integers
$(s_1, s_2)$. When the characteristic of $\mathbb{F}_q$ is large, the conventional approach is to apply the
Schoof-Pila algorithm as far as is practical, before passing to a baby-step giant-step algorithm
if necessary (see §2.5). The strategy of Schoof's algorithm and its generalizations is to compute
the polynomials $\chi_\ell(T) = \chi(T) \bmod (\ell)$ for sufficiently many primes (or prime powers) $\ell$ to
reconstruct $\chi(T)$ using the Chinese Remainder Theorem.
Since $\chi_\ell(T)$ is the characteristic polynomial of $\pi$ restricted to $J_C[\ell]$ (see [16, Proposition
2.1]), we have

$$\chi_\ell(\pi)(D) = 0 \quad\text{for all } D \text{ in } J_C[\ell].$$

Conversely, to compute $\chi_\ell(T)$ we let $D$ be a generic element of $J_C[\ell]$ (as in §2.3 below),
compute the three points

$$(\pi^2 + [q])^2(D), \quad (\pi^2 + [q])\pi(D), \quad\text{and}\quad \pi^2(D),$$

and then search for the coefficients $(s_1, s_2)$ of $\chi_\ell(T)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ for which the linear relation

$$(\pi^2 + [q])^2(D) - [s_1](\pi^2 + [q])\pi(D) + [s_2]\pi^2(D) = 0 \qquad (3)$$

holds. If the minimal polynomial of $\pi$ on $J_C[\ell]$ is a proper divisor of $\chi_\ell(T)$ — which occurs
for at most a finite number of $\ell$ dividing $\mathrm{disc}(\chi)$ — then the polynomial so determined is not
unique, but $\chi_\ell(T)$ can be determined by deducing the correct multiplicities of its factors.

Once we have computed $\chi_\ell(T)$ for sufficiently many $\ell$, we reconstruct $\chi(T)$ using the
Chinese Remainder Theorem. The Weil and Rück bounds together with a weak version of the
prime number theorem tell us how many $\ell$ are required: Pila notes in [16, §1] that the set of
$O(\log q)$ primes $\ell < 21 \log q$ will suffice. We analyse the complexity of the classical Schoof-Pila
algorithm in §2.4.

2.3 Endomorphisms and Generic Kernel Elements

We now recall how to construct an effective version of a generic $\ell$-torsion element. We present
it in a slightly more general setting, so that we can use this ingredient in the subsequent
RM-specific algorithm. Therefore, we show how to compute with a generic element of the
kernel of some endomorphism $\phi$ of $J_C$, whereas $\phi$ is just $[\ell]$ in the classical algorithm.

Definition 1. Fix an embedding $P \mapsto D_P$ of $C$ in $J_C$. We say that an endomorphism $\phi$
of $J_C$ is explicit if we can effectively compute polynomials $d_0, d_1, d_2, e_0, e_1$, and $e_2$ such that if
$P = (x_P, y_P)$ is a generic point of $C$, then the Mumford representation of $\phi(D_P)$ is given by

$$\phi(D_P) = \left( x^2 + \frac{d_1(x_P)}{d_2(x_P)}\,x + \frac{d_0(x_P)}{d_2(x_P)},\ \ y - y_P\left(\frac{e_1(x_P)}{e_2(x_P)}\,x + \frac{e_0(x_P)}{e_2(x_P)}\right) \right). \qquad (4)$$

The $d_0, d_1, d_2, e_0, e_1$, and $e_2$ are called the $\phi$-division polynomials.

If $\phi$ is an explicit endomorphism, then we can use (4) (extending $\mathbb{Z}$-linearly) to evaluate
$\phi(D)$ for general divisor classes $D$ in $J_C$. In the case $\phi = [\ell]$, the $[\ell]$-division polynomials are
the $\ell$-division polynomials of Cantor [3]. The $\phi$-division polynomials depend on the choice
of embedding $P \mapsto D_P$; we will make this choice explicit when computing the $\phi$-division
polynomials for each of our families in §4.

To compute a generic element of $J_C[\phi]$, we generalize the approach of [7] (which computes
generic elements of $J_C[\ell]$). The resulting algorithm is essentially the same as in [7, §3] (except
for the parasite computation step, which we omit) with $\phi$-division polynomials replacing $\ell$-division
polynomials, so we will only briefly sketch it here.

Let $D = (x^2 + a_1 x + a_0,\ y - (b_1 x + b_0))$ be (the Mumford representation of) a generic
point of $J_C$. We want to compute a triangular ideal $I_\phi$ in $\mathbb{F}_q[a_1, a_0, b_1, b_0]$ vanishing on the
nonzero elements of $J_C[\phi]$. The element $D$ equals $D_{(x_1, y_1)} + D_{(x_2, y_2)}$, where $(x_1, y_1)$ and $(x_2, y_2)$
are generic points of $C$. To find a triangular system of relations on the $a_i$ and $b_i$ such that $D$
is in $J_C[\phi]$, we solve for $x_1$, $y_1$, $x_2$, and $y_2$ in

applying (4) and using resultants computed with the evaluation-interpolation technique of [7,
§3.1]. We then resymmetrize as in [7, §3.2] to express the result in terms of the $a_i$ and $b_i$. We
can now compute with a "generic" element $(x^2 + a_1 x + a_0,\ y - (b_1 x + b_0))$ of $J_C[\phi]$ by reducing
the coefficients modulo $I_\phi$ after each operation.

Following the complexity analysis of [7, §3.5], we can compute a triangular representation
for $I_\phi$ in $O(\delta^2 M(\delta)\log\delta + M(\delta^2)\log\delta)$ field operations, where $\delta$ is the maximum among the
degrees of the $\phi$-division polynomials, and $M(d)$ is the number of operations required to
multiply polynomials of degree $d$ over $\mathbb{F}_q$. Using asymptotically fast multiplication algorithms,
we can therefore compute $I_\phi$ in $O(\delta^3)$ field operations. The degree of $I_\phi$ is in $O(\delta^2)$; with this
triangular representation, each multiplication modulo $I_\phi$ costs $O(\delta^2)$ field operations.

2.4 Complexity of Classical Schoof-Pila Point Counting

Proposition 1. The complexity of the classical Schoof-Pila algorithm for a curve of genus 2
over $\mathbb{F}_q$ is in $O((\log q)^8)$.

Proof. To determine $\chi(T)$, we need to compute $\chi_\ell(T)$ for $O(\log q)$ primes $\ell$ in $O(\log q)$. To
compute $\chi_\ell(T)$, we must first compute the $\ell$-division polynomials, which have degrees in
$O(\ell^2)$. We then compute the kernel ideal $I_\ell$; according to the previous subsection, the total
cost is in $O(\ell^6)$ field operations. The cost of checking (3) against a generic element of $J_C[\ell]$
decomposes into the cost of computing Frobenius images of the generic element in $O(\ell^4 \log q)$
and of finding the matching pair $(s_1, s_2)$ in $O(\ell^6)$ field operations. So the total complexity for
computing $\chi_\ell(T)$ is in $O(\ell^4(\ell^2 + \log q))$ field operations. In terms of bit operations, for each $\ell$
bounded by $O(\log q)$, we compute $\chi_\ell(T)$ in time $O((\log q)^7)$, and the result follows from the
addition of these costs for all the different $\ell$'s. □

2.5 Baby-Step Giant-Step Algorithms

In practice, computing $\chi_\ell(T)$ with classical Schoof-Pila becomes impractical for large values
of $\ell$. The usual approach is to carry out the Schoof-Pila algorithm to the extent possible,
obtaining congruences for $s_1$ and $s_2$ modulo some integer $M$, before completing the calculation
using a generic group algorithm such as baby-step giant-step (BSGS). Our BSGS algorithm
of choice is the low-memory parallelized variant of the Matsuo-Chao-Tsuji algorithm [8, 12].

The bounds in (2) imply that the search space of candidates for $(s_1, s_2)$ is in $O(q^{3/2})$,
and a pure BSGS approach finds $(s_1, s_2)$ in time and space $O(q^{3/4})$. However, when we apply
BSGS after a partial Schoof-Pila computation, we obtain a congruence for $(s_1, s_2)$ modulo $M$.
If $M < 8\sqrt{q}$, then the size of the search space is reduced to $\Theta(q^{3/2}/M^2)$, and the complexity
for finding $(s_1, s_2)$ is reduced to $O(q^{3/4}/M)$. For larger $M$, the value of $s_1$ is fully determined,
and the problem is reduced to a one-dimensional search space of size $O(q/M)$ for which the
complexity becomes $O(\sqrt{q/M})$.
3 Point Counting in Genus 2 with Real Multiplication

By assumption, $J_C$ is ordinary and simple, so $\chi(T)$ is an irreducible polynomial defining
a quartic CM-field with real quadratic subfield $\mathbb{Q}(\sqrt{\Delta})$. We say that $J_C$ (and $C$) has real
multiplication (RM) by $\mathbb{Q}(\sqrt{\Delta})$. For a randomly selected curve, $\Delta$ is in $O(q)$; but in the
sequel we consider families of curves with RM by $\mathbb{Q}(\sqrt{\Delta})$ for small $\Delta$ (= 5 or 8), admitting
an explicit (in the sense of Definition 1) endomorphism $\phi$ such that

$$\mathbb{Z}[\phi] = \mathbb{Q}(\sqrt{\Delta}) \cap \mathrm{End}(J_C) \qquad (5)$$

(that is, $\mathbb{Z}[\phi]$ is the full real subring of $\mathrm{End}(J_C)$), and

$$\mathrm{disc}(\mathbb{Z}[\phi]) = \Delta.$$

We presume that the trace $\mathrm{Tr}(\phi)$ and norm $\mathrm{N}(\phi)$, such that $\phi^2 - \mathrm{Tr}(\phi)\phi + \mathrm{N}(\phi) = 0$, are
known. We also suppose that $\phi$ is efficient, in the following sense:

Definition 2. We say that an explicit endomorphism $\phi$ is efficiently computable if the cost
of evaluating $\phi$ at points of $J_C(\mathbb{F}_q)$ requires only $O(1)$ field operations (comparable to a few
group operations in $J_C$). In practice, this means that the $\phi$-division polynomials have small
degree.

The existence of an efficiently computable $\phi$ and knowledge of $\Delta$ allows us to make significant
improvements to each stage of the Schoof-Pila algorithm. Briefly: in §3.2 we use $\phi$ to
simplify the testing procedure for each $\ell$; in §3.3 we show that when $\ell$ splits in $\mathbb{Z}[\phi]$, we can
use $\phi$ to obtain a radical reduction in complexity for computing $\chi_\ell(T)$; and in §3.4 we show
that knowing an effective $\phi$ allows us to use many fewer primes $\ell$.

3.1 The RM Characteristic Polynomial

Let $\psi = \pi + \pi^\dagger$; we consider $\mathbb{Z}[\psi]$, a subring of the real quadratic subring of $\mathrm{End}(J_C)$. The
characteristic polynomial of $\psi$ is the real Weil polynomial

$$T^2 - s_1 T + s_2; \qquad (6)$$

the discriminant of $\mathbb{Z}[\psi]$ is $\Delta_0 = s_1^2 - 4s_2$. The analogue for $(s_1, \Delta_0)$ of Rück's bounds is

$$(|s_1| - 4\sqrt{q})^2 \ge \Delta_0 = s_1^2 - 4s_2 \ge 0. \qquad (7)$$

Equation (5) implies that $\mathbb{Z}[\psi]$ is contained in $\mathbb{Z}[\phi]$, so there exist integers $m$ and $n$ such that

$$\psi = m + n\phi. \qquad (8)$$

Both $s_1$ and $s_2$ are determined by $m$ and $n$: we have

$$s_1 = \mathrm{Tr}(\psi) = 2m + n\,\mathrm{Tr}(\phi) \quad\text{and}\quad s_2 = \mathrm{N}(\psi) = (s_1^2 - n^2\Delta)/4. \qquad (9)$$

In fact $n$ is the conductor of $\mathbb{Z}[\psi]$ in $\mathbb{Z}[\phi]$ up to sign: $|n| = [\mathbb{Z}[\phi] : \mathbb{Z}[\psi]]$, and hence

$$\Delta_0 = \mathrm{disc}(\mathbb{Z}[\psi]) = s_1^2 - 4s_2 = n^2\Delta.$$

The square root of the bounds in (7) gives bounds on $s_1$ and $n$:

$$4\sqrt{q} - |s_1| \ge \sqrt{\Delta_0} = |n|\sqrt{\Delta} \ge 0;$$

in particular, $|s_1| \le 4\sqrt{q}$ and $|n| \le 4\sqrt{q/\Delta}$. Applying the relation in (9), we have the bounds

$$|m| \le 2(|\mathrm{Tr}(\phi)| + \sqrt{\Delta})\sqrt{q/\Delta} \quad\text{and}\quad |n| \le 4\sqrt{q/\Delta}. \qquad (10)$$

Both $|m|$ and $|n|$ are in $O(\sqrt{q})$.
3.2 An Efficiently Computable RM Relation

We can use our efficiently computable endomorphism to replace the relation of (3) with a
more efficiently computable alternative. Multiplying (8) through by $\pi$, we have

$$\psi\pi = \pi^2 + [q] = m\pi + n\phi\pi.$$

We can therefore compute $\bar m = m \bmod \ell$ and $\bar n = n \bmod \ell$ by letting $D$ be a generic $\ell$-torsion
point, computing the three points

$$(\pi^2 + [q])(D), \quad \pi(D), \quad\text{and}\quad \phi\pi(D),$$

and then searching for the $\bar m$ and $\bar n$ in $\mathbb{Z}/\ell\mathbb{Z}$ such that

$$(\pi^2 + [q])(D) - [\bar m]\pi(D) - [\bar n]\phi\pi(D) = 0 \qquad (11)$$

holds; we can find such an $\bar m$ and $\bar n$ in $O(\ell)$ group operations.

Solving (11) rather than (3) has several advantages. First, computing $(\pi^2 + [q])(D)$, $\pi(D)$,
and $\phi\pi(D)$ requires only two applications of Frobenius, instead of the four required to compute
$(\pi^2 + [q])^2(D)$, $(\pi^2 + [q])\pi(D)$, and $\pi^2(D)$ (and Frobenius applications are costly in practice).
Moreover, either $s_2$ needs to be determined in $O(q)$, or else the value of $n$ in (3) leaves a sign
ambiguity for each prime $\ell$, because only $n^2 \bmod \ell$ can be deduced from $(s_1, s_2)$. In contrast,
(11) determines $n$ directly.

3.3 Exploiting Split Primes in $\mathbb{Q}(\sqrt{\Delta})$

Let $\mathbb{Z}[\phi] \subset \mathrm{End}(J_C)$ be an RM order in $\mathbb{Q}(\phi) \cong \mathbb{Q}(\sqrt{\Delta})$. Asymptotically, half of all primes $\ell$
split: $(\ell) = \mathfrak{p}_1\mathfrak{p}_2$ in $\mathbb{Z}[\phi]$, where $\mathfrak{p}_1 + \mathfrak{p}_2 = (1)$ (and this carries over to powers of $\ell$). This
factorization gives a decomposition of the $\ell$-torsion

$$J_C[\ell] = J_C[\mathfrak{p}_1] \oplus J_C[\mathfrak{p}_2].$$

In particular, any $\ell$-torsion point $D$ can be uniquely expressed as a sum $D = D_1 + D_2$ where
$D_i$ is in $J_C[\mathfrak{p}_i]$.

According to the Cohen-Lenstra heuristics [4], more than 75% of RM fields have class
number 1; in each of the explicit RM families in §4, the order $\mathbb{Z}[\phi]$ has class number 1. All
ideals are principal in such an order, so we may find a generator for each of the ideals $\mathfrak{p}_i$.
Furthermore, the following lemma shows that we can find a generator which is not too large.

Lemma 1. If $\mathfrak{p}$ is a principal ideal of norm $\ell$ in a real quadratic order $\mathbb{Z}[\phi]$, then there exists
an effectively computable generator of $\mathfrak{p}$ with coefficients in $O(\sqrt{\ell})$.

Proof. Let $\alpha$ be a generator of $\mathfrak{p}$, and $\varepsilon$ a fundamental unit of $\mathbb{Z}[\phi]$. Let $\gamma \mapsto \gamma_1$ and $\gamma \mapsto \gamma_2$
be the two embeddings of $\mathbb{Z}[\phi]$ in $\mathbb{R}$, indexed so that $|\alpha_1| \ge |\alpha_2|$ and $|\varepsilon_1| > 1$ (replacing $\varepsilon$
with $\varepsilon^{-1}$ if necessary). Then $R = \log(|\varepsilon_1|)$ is the regulator of $\mathbb{Z}[\phi]$. Set $\beta = \varepsilon^{-k}\alpha$, where
$k = \lfloor \log(|\alpha_1/\sqrt{\ell}|)/R \rceil$ is the nearest integer to $\log(|\alpha_1/\sqrt{\ell}|)/R$; then $\beta = a + b\phi$ is a new generator for $\mathfrak{p}$ such that

$$-\frac{1}{2} \le \frac{\log(|\beta_1/\sqrt{\ell}|)}{R} \le \frac{1}{2}.$$

From the preceding bounds, $|\beta_1 + \beta_2| = |2a + b\,\mathrm{Tr}(\phi)|$ and $|\beta_1 - \beta_2| = |b\sqrt{\Delta}|$ are bounded by
$2\sqrt{\ell}\,e^{R/2}$. Since $\mathrm{Tr}(\phi)$, $\Delta$ and $R$ are fixed constants, $|a|$ and $|b|$ are in $O(\sqrt{\ell})$. The "effective"
part of the result follows from classical algorithms for quadratic fields. □
Lemma 2. Let $J_C$ be the Jacobian of a genus 2 curve over a finite field $\mathbb{F}_q$ with an efficiently
computable RM endomorphism $\phi$. There exists an algorithm which, given a principal ideal $\mathfrak{p}$
of norm $\ell$ in $\mathbb{Z}[\phi]$, computes an explicit generator $\alpha$ of $\mathfrak{p}$ and the $\alpha$-division polynomials in
$O(\ell)$ field operations.

Proof. By Lemma 1, we can compute a generator $\alpha = [a] + [b]\phi$ with $a$ and $b$ in $O(\sqrt{\ell})$. The
$[a]$- and $[b]$-division polynomials have degrees in $O(\ell)$, and can be determined in $O(\ell)$ field
operations. The division polynomials for the sum $\alpha = [a] + [b]\phi$ require one sum and one
application of $\phi$; and since $\phi$ is efficiently computable, this increases the division polynomial
degrees and computing time by at most a constant factor. □
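To make Lemma 1 and the $(\bar m, \bar n)$ recovery step of Theorem 1 concrete, here is an added Python example (not the paper's implementation) for the orders $\mathbb{Z}[\phi]$ of §4.2 and §4.4: it finds a generator of a split prime ideal with the Euclidean algorithm, reduces it by a unit power exactly as in the proof of Lemma 1, and then solves $y = \bar m + \bar n\phi$ modulo $\ell$. The traces, norms and fundamental units ($\phi$ for $\Delta = 5$, $1 + \phi$ for $\Delta = 8$) are assumptions of the example, as is the brute-force root search, which is only meant for small primes such as those of the §5.3 table.

```python
"""Added example (not the paper's code): the generator reduction of Lemma 1 and the
(m, n) recovery step of Theorem 1 for the orders Z[phi] of Sections 4.2 and 4.4.
Assumed here: phi^2 + phi - 1 = 0 with fundamental unit phi (Delta = 5), and
phi^2 - 2 = 0 with fundamental unit 1 + phi (Delta = 8)."""
import math


class RMOrder:
    """Real quadratic order Z[phi] with phi^2 - t*phi + n = 0, t = Tr(phi), n = N(phi).
    Elements are integer pairs (a, b) representing a + b*phi."""

    def __init__(self, t, n, unit):
        self.t, self.n = t, n
        self.disc = t * t - 4 * n              # discriminant Delta of Z[phi]
        self.unit = unit                        # fundamental unit, as a pair (a, b)
        s = math.sqrt(self.disc)
        # the two real embeddings send phi to the two roots of x^2 - t*x + n
        self.roots = ((t + s) / 2, (t - s) / 2)

    def mul(self, x, y):
        a, b = x
        c, d = y
        return (a * c - self.n * b * d, a * d + b * c + self.t * b * d)

    def sub(self, x, y):
        return (x[0] - y[0], x[1] - y[1])

    def conj(self, x):                          # conjugation sends phi to t - phi
        return (x[0] + self.t * x[1], -x[1])

    def norm(self, x):
        a, b = x
        return a * a + self.t * a * b + self.n * b * b

    def embed(self, x, i):
        return x[0] + x[1] * self.roots[i]

    def euclid_div(self, x, y):
        """x = q*y + r with |N(r)| < |N(y)|: round both coordinates of x*conj(y)/N(y)
        to the nearest integer (valid because Z[phi] is norm-Euclidean for Delta = 5, 8)."""
        ny = self.norm(y)
        u, v = self.mul(x, self.conj(y))
        if ny < 0:
            ny, u, v = -ny, -u, -v
        q = ((2 * u + ny) // (2 * ny), (2 * v + ny) // (2 * ny))
        return q, self.sub(x, self.mul(q, y))

    def unit_power(self, k):
        """eps^k for any integer k; eps^-1 = N(eps)*conj(eps) because N(eps) = +-1."""
        inv = tuple(self.norm(self.unit) * c for c in self.conj(self.unit))
        base = self.unit if k >= 0 else inv
        result = (1, 0)
        for _ in range(abs(k)):
            result = self.mul(result, base)
        return result

    def split_roots(self, l):
        """Roots of x^2 - t*x + n modulo the prime l; two roots means l splits in Z[phi]."""
        return [r for r in range(l) if (r * r - self.t * r + self.n) % l == 0]

    def small_generator(self, l, r):
        """Generator beta = a + b*phi of the prime ideal p = (l, phi - r) of norm l,
        reduced by a unit power as in Lemma 1 so that |a|, |b| = O(sqrt(l))."""
        x, y = (l, 0), (-r, 1)                  # Euclid on (l, phi - r) gives a generator
        while y != (0, 0):
            x, y = y, self.euclid_div(x, y)[1]
        alpha = x
        assert abs(self.norm(alpha)) == l
        i = 0 if abs(self.embed(self.unit, 0)) > 1 else 1   # embedding with |eps_i| > 1
        reg = math.log(abs(self.embed(self.unit, i)))        # regulator R
        k = round(math.log(abs(self.embed(alpha, i)) / math.sqrt(l)) / reg)
        return self.mul(self.unit_power(-k), alpha)          # beta = eps^-k * alpha


def recover_mn(l, x, y):
    """Proof of Theorem 1: given phi = x_i and psi = y_i modulo p_i (i = 1, 2), solve
    m + n*x_i = y_i (mod l) for (m mod l, n mod l)."""
    n = (y[0] - y[1]) * pow(x[0] - x[1], -1, l) % l
    return ((y[0] - n * x[0]) % l, n)


# The orders of Sections 4.2/4.3 (Delta = 5) and 4.4 (Delta = 8); the units are assumptions.
GOLDEN = RMOrder(t=-1, n=-1, unit=(0, 1))     # phi^2 + phi - 1 = 0, unit phi
SQRT2 = RMOrder(t=0, n=-2, unit=(1, 1))       # phi^2 - 2 = 0, unit 1 + phi

# Split primes taken from the table in Section 5.3 (all are +-1 mod 5).
TABLE_PRIMES = [11, 19, 29, 31, 41, 59, 61, 71, 79, 89, 101, 109, 131, 139, 149, 151]


def check_generators(order, primes):
    """For each split prime, build both small generators and return the largest
    |coefficient|/sqrt(l) seen; Lemma 1 says this stays below a fixed constant."""
    worst = 0.0
    for l in primes:
        roots = order.split_roots(l)
        assert len(roots) == 2, f"{l} does not split"
        for r in roots:
            a, b = order.small_generator(l, r)
            assert abs(order.norm((a, b))) == l
            assert order.euclid_div((-r, 1), (a, b))[1] == (0, 0)   # beta divides phi - r
            worst = max(worst, abs(a) / math.sqrt(l), abs(b) / math.sqrt(l))
    return worst


if __name__ == "__main__":
    print("Delta=5 generator of (11, phi-3):", GOLDEN.small_generator(11, 3))
    print("worst |coeff|/sqrt(l), Delta=5:", check_generators(GOLDEN, TABLE_PRIMES))
    print("worst |coeff|/sqrt(l), Delta=8:", check_generators(SQRT2, [7, 17, 23, 31, 41, 47]))
    print("(m, n) mod 11 from (y1, y2) = (9, 1):", recover_mn(11, (3, 7), (9, 1)))
```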

We can now state the main theorem for RM point counting.

Theorem 1. There exists an algorithm for the point counting problem in a family of genus 2
curves with efficiently computable RM of class number 1, whose complexity is in $O((\log q)^5)$.

Proof. Let $J_C$ be a Jacobian in a family with efficiently computable RM by $\mathbb{Z}[\phi]$. Suppose
that $\ell$ is prime, $(\ell) = \mathfrak{p}_1\mathfrak{p}_2$ in $\mathbb{Z}[\phi]$, and that the $\mathfrak{p}_i$ are principal. By Lemma 2 we can compute
representative $\alpha$-division polynomials for $J_C$ for each $\mathfrak{p}$ in $\{\mathfrak{p}_1, \mathfrak{p}_2\}$ in time $O(\ell)$, hence generic
points $D_i$ in $J_C[\mathfrak{p}_i]$.

We recall that (11) is the homomorphic image under $\pi$ of the equation

$$\psi(D) - [m](D) - [n]\phi(D) = 0.$$

When applied to $D_i$ in $J_C[\mathfrak{p}_i]$, both $\psi$ and $\phi$ act as elements of $\mathbb{Z}[\phi]/\mathfrak{p}_i \cong \mathbb{Z}/\ell\mathbb{Z}$. Moreover
$x_i = \phi \bmod \mathfrak{p}_i$ is known, and it remains to determine $y_i = \psi \bmod \mathfrak{p}_i$ by means of the discrete
logarithm

$$\psi(D_i) = [y_i](D_i) = [\bar m + \bar n x_i](D_i)$$

in the cyclic group $\langle D_i \rangle \cong \mathbb{Z}/\ell\mathbb{Z}$. The application of $\pi$ transports this discrete logarithm
problem to that of solving for $y_i$ in

$$D_i'' = [y_i]D_i',$$

where $D_i' = \pi(D_i)$ and $D_i'' = (\pi^2 + [q])(D_i)$. By the CRT, from $(y_1, y_2)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ we recover
$y$ in $\mathbb{Z}[\phi]/(\ell)$, from which we solve for $(\bar m, \bar n)$ in $(\mathbb{Z}/\ell\mathbb{Z})^2$ such that

$$y = \bar m + \bar n\phi \in \mathbb{Z}[\phi]/(\ell).$$

The values of $(s_1, s_2)$ are then recovered from (9).

The ring $\mathbb{Z}[\phi]$ is fixed, so as $\log q$ goes to infinity we find that 50% of all primes $\ell$ split
in $\mathbb{Z}[\phi]$ by the Chebotarev density theorem. It therefore suffices to consider split primes in
$O(\log q)$. In comparison with the conventional algorithm presented in §2.2, we reduce from
computation modulo the ideal for $J_C[\ell]$ of degree in $O(\ell^4)$, to computation modulo the ideals
for $J_C[\mathfrak{p}_i]$ of degree in $O(\ell^2)$. This means a reduction from $O(\ell^4(\ell^2 + \log q))$ to $O(\ell^2(\ell + \log q))$
field operations for the determination of each $\chi_\ell(T)$, giving the stated reduction in total
complexity from $O((\log q)^8)$ to $O((\log q)^5)$. □

Remark 1. Computing $(m, n)$ instead of $(s_1, s_2)$ allows us to reduce the number of primes $\ell$
to be considered by about a half, since by (10) their product needs to be in $O(\sqrt{q})$ instead of
$O(q)$. While this changes only the constant in the asymptotic complexity of the algorithm, it
yields a significant improvement in practice.

Remark 2. If $\mathbb{Z}[\phi]$ does not have class number 1, and if $(\ell) = \mathfrak{p}_1\mathfrak{p}_2$ where the $\mathfrak{p}_i$ are not
principal, then we may use a small complementary ideal $(c) = \mathfrak{c}_1\mathfrak{c}_2$ such that the $\mathfrak{c}_i\mathfrak{p}_i$ are principal,
in order to apply Lemma 2 to a larger proportion of small ideals. Moreover, if $(m, n)$ is known
modulo $c$, this can be used to reduce the discrete log problem modulo $\ell$. Again, since a fixed
positive density $1/2h$ of primes are both split and principal, where $h$ is the class number
of $\mathbb{Z}[\phi]$, this does not affect the asymptotic complexity. Moreover, the first occurrence of a
nontrivial class group is for $\Delta = 65$, beyond the range for which an explicit RM
construction is currently known.



3.4 Shrinking the BSGS Search Space

In the context of the conventional Schoof-Pila algorithm, we need to find $s_1$ in $O(\sqrt{q})$ and $s_2$
in $O(q)$. However, (8), and the effective form of (11) (valid for all points $D$ of $J_C$), replace
the determination of $(s_1, s_2)$ with the tuple $(m, n)$ of integers in $O(\sqrt{q})$. As a result, the
search space is reduced from $O(q^{3/2})$ to $O(q)$. Thus the BSGS strategy can find $(m, n)$ (which
determines $(s_1, s_2)$) in time and space $O(\sqrt{q})$, compared with $O(q^{3/4})$ when searching directly
for $(s_1, s_2)$.

As in the general case, if one knows $(m, n)$ modulo an integer $M$, then the area of the
search rectangle is reduced by a factor of $M^2$, so we find the tuple $(m, n)$ in $O(\sqrt{q}/M)$
group operations. Contrary to the general case of §2.5, since $m$ and $n$ have the same order of
magnitude, the speed-up is always by a factor of $M$.



4 Examples of Families of Curves with Explicit RM 

We now exhibit some families of curves and efficient RM endomorphisms that can be used as 
sources of inputs to our algorithm. 



4.1 Correspondences and Endomorphisms

To give a concrete representation for endomorphisms of $J_C$, we use correspondences: that is,
divisors on the surface $C \times C$. Suppose that $\mathcal{R}$ is a curve on $C \times C$, and let $\pi_1 : \mathcal{R} \to C$ and
$\pi_2 : \mathcal{R} \to C$ be the restrictions to $\mathcal{R}$ of the natural projections from $C \times C$ onto its first and
second factors. We have a pullback homomorphism $(\pi_1)^* : \mathrm{Pic}(C) \to \mathrm{Pic}(\mathcal{R})$, defined by

$$(\pi_1)^*\Big(\Big[\sum_P n_P (P)\Big]\Big) = \Big[\sum_P n_P \sum_{Q \in \pi_1^{-1}(P)} (Q)\Big],$$

where the preimages $Q$ are counted with the appropriate multiplicities. (A standard moving
lemma shows that we can always choose divisor class representatives so that each $\pi_1^{-1}(P)$
is zero-dimensional.) We also have a pushforward homomorphism $(\pi_2)_* : \mathrm{Pic}(\mathcal{R}) \to \mathrm{Pic}(C)$,
defined by

$$(\pi_2)_*\Big(\Big[\sum_Q n_Q (Q)\Big]\Big) = \Big[\sum_Q n_Q (\pi_2(Q))\Big].$$

Note that $(\pi_1)^*$ maps $\mathrm{Pic}^n(C)$ into $\mathrm{Pic}^{\deg(\pi_1)\,n}(\mathcal{R})$ and $(\pi_2)_*$ maps $\mathrm{Pic}^n(\mathcal{R})$ into $\mathrm{Pic}^n(C)$ for
all $n$. Hence $(\pi_2)_* \circ (\pi_1)^*$ maps $\mathrm{Pic}^0(C)$ into $\mathrm{Pic}^0(C)$, so we have an induced endomorphism

$$\phi = (\pi_2)_* \circ (\pi_1)^* : J_C \to J_C.$$
We write $x_1, y_1$ and $x_2, y_2$ for the coordinates on the first and second factors of $C \times C$,
respectively (so $\pi_1(x_1, y_1, x_2, y_2) = (x_1, y_1)$). In our examples, the correspondence $\mathcal{R}$ will be
defined by two equations:

$$\mathcal{R} = V\big(A(x_1, x_2),\ B(x_1, y_1, x_2, y_2)\big).$$

On the level of divisors, the image of a generic point $P = (x_P, y_P)$ of $C$ (that is, a generic
prime divisor) under the endomorphism $\phi$ is given by

$$\phi : (x_P, y_P) \longmapsto V\big(A(x_P, x),\ B(x_P, y_P, x, y)\big).$$

Using the relations $y_P^2 = f(x_P)$ and $y^2 = f(x)$ (and the fact that correspondences cut out by
principal ideals induce the zero homomorphism), we can easily replace $A$ and $B$ with Cantor-reducible
generators to derive the Mumford representation of $\phi(P)$, and thus the $\phi$-division
polynomials.

4.2 A 1-dimensional Family with RM by $\mathbb{Z}[(1 + \sqrt{5})/2]$

Let $t$ be a free parameter, and suppose that $q$ is not a power of 5. Let $C_T$ be the family of
curves of genus 2 over $\mathbb{F}_q$ considered by Tautz, Top, and Verberkmoes in [19, Example 3.5],
defined by

$$C_T : y^2 = x^5 - 5x^3 + 5x + t.$$

Let $\tau_5 = \zeta_5 + \zeta_5^{-1}$, where $\zeta_5$ is a 5th root of unity in $\overline{\mathbb{F}}_q$. Let $\phi_T$ be the endomorphism induced
by the (constant) family of correspondences

$$\mathcal{R}_T = V\big(x_1^2 + x_2^2 - \tau_5 x_1 x_2 + \tau_5^2 - 4,\ y_1 - y_2\big) \subset C_T \times C_T.$$

(Note that $\mathcal{R}_T$ and $\phi_T$ are defined over $\mathbb{F}_q(\tau_5)$, which is equal to $\mathbb{F}_q$ if and only if $q \not\equiv
\pm 2 \bmod 5$.) The family $C_T$ has a unique point $P_\infty$ at infinity, which we can use to define an
embedding

$$P = (x_P, y_P) \longmapsto D_P := [(P) - (P_\infty)] \leftrightarrow (x - x_P,\ y - y_P)$$

of $C_T$ in $J_{C_T}$. With respect to this embedding, the $\phi_T$-division polynomials are

$$d_2 = 1,\quad d_1 = -\tau_5 x,\quad d_0 = x^2 + \tau_5^2 - 4,\quad e_2 = 1,\quad e_1 = 0,\quad e_0 = 1.$$

Proposition 2. The minimal polynomial of $\phi_T$ is $T^2 + T - 1$: that is, $\phi_T$ acts as multiplication
by $-(1 + \sqrt{5})/2$ on $J_{C_T}$. A prime $\ell$ splits into two principal ideals in $\mathbb{Z}[\phi_T]$ if and only if
$\ell \equiv \pm 1 \bmod 5$.

Proof. The first claim is proven in [19, §3.5]. More directly, if $P$ and $Q$ are generic points of
$C_T$, then on the level of divisors we find

$$(\phi_T^2 + \phi_T)((P) - (Q)) = (P) - (Q) + \mathrm{div}(\,\cdot\,),$$

the last term being a principal divisor. Hence $\mathbb{Z}[\phi_T]$ is isomorphic to the ring of integers of $\mathbb{Q}(\sqrt{5})$. The primes $\ell$ splitting in $\mathbb{Q}(\sqrt{5})$
are precisely those congruent to $\pm 1$ modulo 5; and $\mathbb{Q}(\sqrt{5})$ has class number 1, so the primes
over $\ell$ are principal. □

The Igusa invariants of $C_T$, viewed as a point in weighted projective space, are $(140 : 550 :
20(32t^2 - 3) : 25(896t^2 - 3109) : 64(t^2 - 4)^2)$; in particular, $C_T$ has a one-dimensional image
in the moduli space of curves of genus 2. The Jacobian of the curve with the same defining
equation over $\mathbb{Q}(t)$ is absolutely simple (cf. [11, Remark 15]).
4.3 A 2-dimensional Family with RM by $\mathbb{Z}[(1 + \sqrt{5})/2]$

Let $s$ and $t$ be free parameters, and consider the family of curves $C_H : y^2 = F_H(x)$, where

$$F_H(x) = s x^5 - (2s + t)x^4 + (s^2 + 3s + 2t - 1)x^3 - (3s + t - 3)x^2 + (s - 3)x + 1.$$

This family is essentially due to Humbert; it is equal to the family of Mestre [13, §2.1] with
$(U, T) = (s, t)$, and the family of Wilson [20, Proposition 3.4.1] with $(A, B) = (s, -t - 3s + 3)$.
The family has a full 2-dimensional image in the moduli space of genus 2 curves.
Let $\mathcal{R}_H$ be the family of correspondences on $C_H \times C_H$ defined by

$$\mathcal{R}_H = V\big(x_1^2 x_2^2 + s(s - 1)x_1 x_2 - s^2(x_1 - x_2) + s^2,\ y_1 - y_2\big);$$

let $\phi_H$ be the induced endomorphism. The family $C_H$ has a unique point $P_\infty$ at infinity, which
we can use to define an embedding

$$P = (x_P, y_P) \longmapsto D_P := [(P) - (P_\infty)] \leftrightarrow (x - x_P,\ y - y_P)$$

of $C_H$ in $J_{C_H}$. With respect to this embedding, the $\phi_H$-division polynomials are

$$d_2 = x^2,\quad d_1 = (s^2 - s)x + s^2,\quad d_0 = -s^2 x + s^2,\quad e_2 = 1,\quad e_1 = 0,\quad e_0 = 1.$$

Proposition 3. The minimal polynomial of $\phi_H$ is $T^2 + T - 1$: that is, $\phi_H$ acts as multiplication
by $-(1 + \sqrt{5})/2$ on $J_{C_H}$. A prime $\ell$ splits into two principal ideals in $\mathbb{Z}[\phi_H]$ if and only if
$\ell \equiv \pm 1 \bmod 5$.

Proof. The first assertion is [13, Proposition 2] with $n = 5$; the rest of the proof is exactly as
in Proposition 2. □

4.4 A 2-dimensional Family with RM by $\mathbb{Z}[\sqrt{2}]$

For an example with $\Delta = 8$, we present a twisted and reparametrized version of a construction
due to Mestre [14]. Let $s$ and $t$ be free parameters, let $v(s)$ and $n(s)$ be the rational functions

$$v = v(s) := \frac{s^2 + 2}{[\,\cdot\,]} \quad\text{and}\quad n = n(s) := \frac{4s(s^{[\cdot]} + 4)}{[\,\cdot\,]},$$

where $[\,\cdot\,]$ marks parts of the formulas that are illegible in this copy, and let $C_M$ be the family of curves defined by

$$C_M : y^2 = F_M(x) := (vx - 1)(x - v)(x^4 - tx^2 + v^2 t - 1).$$

The family of correspondences on $C_M \times C_M$ defined by

$$\mathcal{R}_M = V\big(x_1^2 x_2^2 - v^2(x_1^2 + x_2^2) + 1,\ \ y_1 y_2 - n(x_1^2 + x_2^2 - t)(x_1 x_2 - v(x_1 + x_2) + 1)\big)$$

induces an endomorphism $\phi_M$ of $J_{C_M}$.

The family $C_M$ has two points at infinity, $P_\infty^+$ and $P_\infty^-$, which are generically only defined
over a quadratic extension of $\mathbb{F}_q(s, t)$. Let $D_\infty = (P_\infty^+) + (P_\infty^-)$ denote the divisor at infinity.
We can use the rational Weierstrass point $P_v = (v, 0)$ on $C_M$ to define an embedding

$$P = (x_P, y_P) \longmapsto D_P := [(P) + (P_v) - D_\infty] \leftrightarrow \Big((x - x_P)(x - v),\ \ y - \frac{y_P}{x_P - v}(x - v)\Big)$$

of $C_M$ in $J_{C_M}$ (the appropriate composition and reduction algorithms for divisor class arithmetic
on genus 2 curves with an even-degree model, such as $J_{C_M}$, appear in [5]). With respect
to this embedding, the $\phi_M$-division polynomials are

$$d_1 = 0,\quad e_1 = n(x - v)(x^4 - tx^2 + tv^2 - 1),$$

$$d_0 = -v^2 x^2 + 1,\quad e_0 = n(vx - 1)(x^4 - tx^2 + tv^2 - 1).$$

Proposition 4. The minimal polynomial of $\phi_M$ is $T^2 - 2$: that is, $\phi_M$ acts as multiplication
by $\sqrt{2}$ on $J_{C_M}$. A prime $\ell$ splits into two principal ideals in $\mathbb{Z}[\phi_M]$ if and only if $\ell \equiv \pm 1 \bmod 8$.

Proof. Let $P$ and $Q$ be generic points of $C_M$. An elementary but lengthy calculation shows
that on the level of divisors,

$$\phi_M^2((P) - (Q)) = 2(P) - 2(Q) + \mathrm{div}(\,\cdot\,),$$

the last term being a principal divisor, so $\phi_M^2([D]) = 2[D]$ for all $[D]$ in $\mathrm{Pic}^0(C_M)$. Hence $\phi_M^2 = [2]$, and $\mathbb{Z}[\phi_M]$ is isomorphic to the
maximal order of $\mathbb{Q}(\sqrt{2})$. The primes $\ell$ splitting in $\mathbb{Q}(\sqrt{2})$ are precisely those congruent to
$\pm 1$ modulo 8; further, $\mathbb{Q}(\sqrt{2})$ has class number 1, so the primes over $\ell$ are principal. □

Remark 3. As noted above, this construction is a twisted reparametrization of a family of
isogenies described by Mestre in [14, §2.1]. Let $a_1$ and $a_2$ be the roots of $T^2 - tT + v^2 t - 1$ in
$\overline{\mathbb{F}_q(v, t)}$. Mestre's curves $C$ and $C'$ are equal (over $\mathbb{F}_q(v, a_1, a_2)$) to our $C_M$ and its quadratic
twist by $A = 2(v^2 - 1)(v^2 + 1)^2 = (2n)^2$, respectively. We may specialize the proofs in [14] to
show that $C_M$ has a two-dimensional image in the moduli space of curves of genus 2, and that
the Jacobian of the curve with the same defining equation over $\mathbb{Q}(s, t)$ is absolutely simple.
Constructions of curves with RM by $\mathbb{Z}[\sqrt{2}]$ are further investigated in Bending's thesis [1].

Remark 4. The algorithms described here should be readily adaptable to work with Kummer
surfaces instead of Jacobians. In the notation of [6], the Kummers with parameters $(a, b, c, d)$
satisfying $b^2 = a^2 - c^2 - d^2$ have RM by $\mathbb{Z}[\sqrt{2}]$, which can be made explicit as follows: the
doubling algorithm decomposes into two identical steps, since $(A : B : C : D) = (a : b : c : d)$,
and the components after one step are the coordinates of a Kummer point. The step therefore
defines an efficiently computable endomorphism which squares to give multiplication by 2.



5 Numerical Experiments 



We implemented our algorithm in C++ using the NTL library. For non-critical steps, including
computations in quadratic fields, we used Magma for simplicity. With this implementation,
the determination of $\chi(T)$ for a curve over a 128-bit prime field takes approximately 3 hours
on one core of a Core2 processor at 2.83 GHz. This provides a proof of concept rather than
an optimized implementation.



5.1 Cryptographic Curve Generation

When looking for a cryptographic curve, we used an early-abort strategy, where we switch to
another curve as soon as either the order of the Jacobian or that of its twist cannot be prime.
Using our adapted version of Schoof's algorithm, we guarantee that the group orders are not
divisible by any prime that splits in the real field up to the CRT bound used.

In fact, any prime that divides the group order of a curve having RM by the maximal
order of $\mathbb{Q}(\sqrt{\Delta})$ must either be a split (or ramified) prime, or divide it with multiplicity 2.
As a consequence, the early-abort strategy works much better than in the classical Schoof
algorithm, because it suffices to test half the number of primes up to our CRT bound.

We ran a search for a secure curve over a prime field of 128 bits, using a CRT bound of
131. Our series of computations frequently aborted early, and resulted in 245 curves for which
$\chi(T)$ was fully determined, and for which neither the group order nor its twist was divisible
by a prime less than 131. Considering these twists, this provided 490 group orders, of which
27 were prime, and therefore suitable for cryptographic use. We give here the data for one
of these curves, which was furthermore twist-secure: both the Jacobian and the twist Jacobian
order are prime.

Let $C/\mathbb{F}_q$, where $q = 2^{128} + 573$, be the curve in the family $C_T$ of §4.2 specialized to
$t = 75146620714142230387068843744286456025$. The characteristic polynomial $\chi(T)$ is determined
by

$$(s_1, s_2) = (-26279773936397091867,\ -90827064182152428161138708787412643439),$$

giving prime group orders for the Jacobian:

115792089237316195432513528685912298808995809621534164533135283195301868637471,

and for its twist:

115792089237316195414628441331463517678650820031857370801365706066289379517451.

We note that correctness of the orders is easily verified on random points in the Jacobians.

5.2 A Kilobit Jacobian

Let $q$ be the prime $2^{512} + 1273$, and consider the curve over $\mathbb{F}_q$ from the family $C_T$ of §4.2
specialized at

t = 2908566633378727243799826112991980174977453300368095776223
    2569868073752702720144714779198828456042697008202708167215
    32434975921085316560590832659122351278.

This value of $t$ was randomly chosen, and carries no special structure. We computed the values
of the pair $(s_1 \bmod \ell,\ n \bmod \ell)$ for this curve for each split prime $\ell$ up to 419; this was enough
to uniquely determine the true value of $(s_1, n)$ using the Chinese Remainder Theorem. The
numerical data for the curve follows:

Δ = 5

s_1 = -10535684568225216385772683270554282199378670073368228748
      7810402851346035223080

n = -37786020778198256317368570028183842800473749792142072230
     993549001035093288492

s_2 = (s_1^2 - n^2 Δ)/4
    = 990287025215436155679872249605061232893936642355960654938
      008045777052233348340624693986425546428828954551752076384
      428888704295617466043679591527916629020

The order of the Jacobian is therefore

N = χ(1) = 1 - s_1 + (s_2 + 2q) - q s_1 + q^2
  = 179769313486231590772930519078902473361797697894230657273
    430081157732675805502375737059489561441845417204171807809
    294449627634528012273648053238189262589020748518180898888
    687577372373289203253158846463934629657544938945248034686
    681123456817063106485440844869387396665859422186636442258
    712684177900105119005520.
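As an added example (not code from the paper), the following Python recomputes the §5.1 and §5.2 group orders from $\chi(T)$ in (1) and relation (9), checks the Weil and Rück bounds (2) and (7) and the RM bounds (10) in exact integer arithmetic, and applies a Miller-Rabin test to the two §5.1 orders the text calls prime. The field sizes $q = 2^{128} + 573$ and $q = 2^{512} + 1273$ and all other integers are copied from §5; the Miller-Rabin bases and $\mathrm{Tr}(\phi_T) = -1$ (from the minimal polynomial $T^2 + T - 1$ of §4.2) are the example's own assumptions.

```python
"""Added example (not the paper's code): recompute the Section 5 data from chi(T) in (1)
and relation (9), and check the bounds (2), (7) and (10) with exact integer arithmetic.
Every large number below is copied from Sections 5.1 and 5.2 of the paper."""


def jacobian_order(q, s1, s2):
    """#J_C(F_q) = chi(1) = 1 - s1 + (s2 + 2q) - q*s1 + q^2, with chi(T) as in (1)."""
    return 1 - s1 + (s2 + 2 * q) - q * s1 + q * q


def twist_order(q, s1, s2):
    """The quadratic twist has Frobenius -pi, so its order is chi(-1)."""
    return 1 + s1 + (s2 + 2 * q) + q * s1 + q * q


def s2_from_rm(s1, n, delta):
    """Relation (9): s2 = (s1^2 - n^2*Delta)/4.  The division is exact when (s1, n)
    come from psi = m + n*phi, so a nonzero remainder signals corrupted data."""
    num = s1 * s1 - n * n * delta
    assert num % 4 == 0
    return num // 4


def rueck_ok(q, s1, s2):
    """Weil bound |s1| <= 4 sqrt(q) and Rueck's bounds (7), rewritten without square
    roots: s1^2 - 4 s2 >= 0 and s2 + 4q >= 2|s1| sqrt(q), i.e. (s2 + 4q)^2 >= 4 s1^2 q."""
    return (s1 * s1 <= 16 * q and s1 * s1 - 4 * s2 >= 0
            and s2 + 4 * q >= 0 and (s2 + 4 * q) ** 2 >= 4 * s1 * s1 * q)


def rm_bounds_ok(q, s1, n, delta, tr_phi=-1):
    """Bounds (10) on (s1, n) for RM by Z[phi], plus integrality of m = (s1 - n Tr(phi))/2.
    Tr(phi) = -1 is the value for phi_T of Section 4.2 (minimal polynomial T^2 + T - 1)."""
    return (s1 * s1 <= 16 * q and n * n * delta <= 16 * q
            and (s1 - n * tr_phi) % 2 == 0)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (an assumption of this example, not the paper's test)."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# Section 5.1: the twist-secure 128-bit example.
Q128 = 2**128 + 573
S1_128 = -26279773936397091867
S2_128 = -90827064182152428161138708787412643439
N_128 = 115792089237316195432513528685912298808995809621534164533135283195301868637471
TWIST_128 = 115792089237316195414628441331463517678650820031857370801365706066289379517451

# Section 5.2: the kilobit Jacobian (Delta = 5; s2 and N as printed in the paper).
Q512 = 2**512 + 1273
S1_512 = -int("10535684568225216385772683270554282199378670073368228748"
              "7810402851346035223080")
N_RM_512 = -int("37786020778198256317368570028183842800473749792142072230"
                "993549001035093288492")
S2_512 = int("990287025215436155679872249605061232893936642355960654938"
             "008045777052233348340624693986425546428828954551752076384"
             "428888704295617466043679591527916629020")
N_512 = int("179769313486231590772930519078902473361797697894230657273"
            "430081157732675805502375737059489561441845417204171807809"
            "294449627634528012273648053238189262589020748518180898888"
            "687577372373289203253158846463934629657544938945248034686"
            "681123456817063106485440844869387396665859422186636442258"
            "712684177900105119005520")


def check_paper_data():
    """True iff every printed value in Sections 5.1 and 5.2 is internally consistent."""
    return (jacobian_order(Q128, S1_128, S2_128) == N_128
            and twist_order(Q128, S1_128, S2_128) == TWIST_128
            and rueck_ok(Q128, S1_128, S2_128)
            and s2_from_rm(S1_512, N_RM_512, 5) == S2_512
            and jacobian_order(Q512, S1_512, S2_512) == N_512
            and rm_bounds_ok(Q512, S1_512, N_RM_512, 5)
            and rueck_ok(Q512, S1_512, S2_512))


if __name__ == "__main__":
    print("Section 5 data consistent:", check_paper_data())
    print("128-bit Jacobian and twist orders prime:",
          is_probable_prime(N_128), is_probable_prime(TWIST_128))
    print("kilobit order has", N_512.bit_length(), "bits")
```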

The total runtime for this computation was about 80 days on a single core of a Core 2 clocked
at 2.83 GHz. In practice, we use the inherent parallelism of the algorithm, running one prime $\ell$
on each available core.

We did not compute the characteristic polynomial modulo small prime powers (as in [9]),
nor did we use BSGS to deduce the result from partial modular information as in §3.4 (indeed,
we were more interested in measuring the behaviour of our algorithm for large values
of $\ell$). These improvements, which are exponential in nature, bring much less than in the
classical point counting algorithms, since they have to be balanced against a polynomial-time
algorithm of lower degree. For this example, we estimate that BSGS and small prime
powers could have saved a factor of about 2 in the total runtime.

5.3 Degrees of Division Polynomials

For each prime $\ell$ splitting in $\mathbb{Z}[\phi_T]$, we report the degree of the $\alpha$-division polynomial $d_2$
(where $\alpha$ is the endomorphism of norm $\ell$ that was used). By Lemma 1, $\deg(d_2)$ is in $O(\ell)$; the
table below gives the ratio $\deg(d_2)/\ell$, thus measuring the hidden constant in the $O(\cdot)$ notation.

ℓ            11    19    29    31    41    59    61    71    79    89   101   109   131
deg(d2)/ℓ  1.82  2.05  2.07  1.94  2.05  2.10  1.97  2.03  2.01  2.02  1.98  2.02  2.02

ℓ           139   149   151   179   181   191   199   211   229   239   241   251   269
deg(d2)/ℓ  2.12  2.04  1.99  2.00  2.01  2.09  2.21  1.99  2.18  2.01  2.05  2.07  2.17

ℓ           271   281   311   331   349   359   379   389   401   409   419
deg(d2)/ℓ  2.01  1.99  2.11  2.12  2.13  2.02  2.00  2.16  2.03  2.10  2.00

We have $\deg(d_1) = \deg(d_2) + 1$ and $\deg(d_0) = \deg(d_2) + 2$. All of these degrees depend only
on the curve family $C_T$, and not on the individual curve chosen.